On Mon, 2006-09-04 at 12:52 +0100, David Howells wrote:
> Andrew Morton <akpm@osdl.org> wrote:
>
> > sony:/home/akpm> ls -l /net/bix/usr/src
> > total 0
> >
> > sony:/home/akpm> showmount -e bix
> > Export list for bix:
> > / *
> > /usr/src *
> > /mnt/export *
>
> Yes, but what's your /etc/exports now? Not all options appear to showmount.
>
> Can you add "nohide" to the /usr/src and /mnt/export lines and "fsid=0" to the
> / line if you don't currently have them and try again?
>
> > iirc, we decided this is related to the fs-cache infrastructure work which
> > went into git-nfs. I think David can reproduce this?
>
> I'd only reproduced it with SELinux in enforcing mode.
>
> Under such conditions, unless there's a readdir on the root directory, the
> subdirs under which exports exist will remain as incorrectly negative
> dentries.
>
> The problem is a conjunction of circumstances:
>
> (1) nfs_lookup() has a shortcut in it that skips contact with the server if
>     we're doing a lookup with intent to create. This leaves an incorrectly
>     negative dentry if there _is_ actually an object on the server.
>
> (2) The mkdir procedure is aborted between the lookup() op and the mkdir() op
>     by SELinux (see vfs_mkdir()). Note that SELinux isn't the _only_ method
>     by which the abort can occur.
>
> (3) One of my patches correctly assigns the security label to the automounted
>     root dentry.
>
> (4) SELinux then aborts the automounter's mkdir() call because the automounter
>     does _not_ carry the correct security label to write to the NFS directory.
>
> (5) The incorrectly set up dentry from (1) remains because the mkdir() op
>     is not invoked to set it right.
>
> The only bit I added was (3), but that's not the only circumstance in which
> this can occur.
>
>
> If, for example, I do "chmod a-w /" on the NFS server, I can see the same
> effects on the client without the need for SELinux to put its foot in the door.
> Automount does:
>
> [pid 3838] mkdir("/net", 0555) = -1 EEXIST (File exists)
> [pid 3838] stat64("/net", {st_mode=S_IFDIR|0755, st_size=0, ...}) = 0
> [pid 3838] mkdir("/net/trash", 0555) = -1 EEXIST (File exists)
> [pid 3838] stat64("/net/trash", {st_mode=S_IFDIR|0555, st_size=1024, ...}) = 0
> [pid 3838] mkdir("/net/trash/mnt", 0555) = -1 EACCES (Permission denied)

This is the point I'm trying to make.
I'm able to reproduce this with exports that don't have "nohide".
The mkdir used to return EEXIST, possibly before getting to the EACCES
test. It appears to be a change in semantic behavior and I can't see
where it is coming from. autofs expects an EEXIST but not an EACCES and
so doesn't perform the mount. I could ignore the EACCES but that would
be cheating.
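
The errno ordering discussed in this thread, shown on a local Linux filesystem as an added example (not code from autofs, the kernel, or anyone in the thread): mkdir() on a directory that already exists reports EEXIST even when the parent is not writable, and EACCES appears only when the name really is absent. The scratch path and the function name are constructed for the example.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE            /* for mkdtemp() under strict -std= modes */
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Create a scratch parent directory (constructed name), optionally create
 * "child" inside it, drop write permission on the parent, then mkdir() the
 * child. Returns 0 if mkdir() succeeded, the errno it reported otherwise,
 * or -1 if the scratch setup itself failed.
 */
int mkdir_in_readonly_parent(int child_exists)
{
    char base[] = "/tmp/mkdir-order-XXXXXX";
    char child[64];
    int err;

    if (mkdtemp(base) == NULL)
        return -1;
    snprintf(child, sizeof(child), "%s/child", base);
    if ((child_exists && mkdir(child, 0555) != 0) || chmod(base, 0555) != 0) {
        rmdir(child);
        rmdir(base);
        return -1;
    }

    err = mkdir(child, 0555) == 0 ? 0 : errno;

    chmod(base, 0755);      /* restore write permission for cleanup */
    rmdir(child);
    rmdir(base);
    return err;
}

int main(void)
{
    int exists = mkdir_in_readonly_parent(1);   /* expected: EEXIST */
    int missing = mkdir_in_readonly_parent(0);  /* EACCES; 0 when run as root */

    printf("existing child: %s\n", exists > 0 ? strerror(exists) : "no error/setup failed");
    printf("missing child:  %s\n", missing > 0 ? strerror(missing) : "no error/setup failed");
    return exists == EEXIST ? 0 : 1;
}
```

A client that sees EACCES for a name the server does hold is therefore being told the name is absent, which matches the negative-dentry explanation quoted above.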